A “flaw” in the file format of the DICOM standard for the communication of medical imaging information could be exploited to hide malware in MRI and CT scans alongside other patient data, according to a new security research report.
The report from researchers at the security firm Cylera Labs says a weakness in the DICOM image file format if exploited, enables malware to infect patient data by directly inserting itself into medical imaging files. The report does not indicate that there is any evidence that the flaw has actually been exploited.
But Cylera Labs, in a statement provided to Information Security Media Group, contends that the DICOM flaw enables any malware to better evade detection and disrupt attempts to contain it, making it particularly attractive to attackers. This could help threats such as ransomware and information-stealing malware, which frequently affect healthcare organizations, infect larger portions of healthcare networks and connected systems, such as clinical workstations and medical devices.”
The DICOM standard is used by medical devices that produce imagery, such as CT and MRI machines; specialized workstations for analyzing scan results; and even phones and tablets used to view diagnostic information, Cylera notes.
The National Electrical Manufacturers Association drafted the standard and maintains it.
In a statement provided to ISMG, a security committee for the group says the 128 byte preamble in the DICOM file format – which Cylera researchers identified as a vulnerability – is actually a design feature that offers benefits.
The DICOM standard is maintained by a unit of the National Electrical Manufacturers Association’s Medical Imaging & Technology Alliance.
But to address any potential risks posed by the feature, the group says, “the mitigation that is already in place is the practice of decoding and saving only the DICOM content when images are exchanged between medical image archives.”
The “flaw” discovered in the DICOM file format specification could allow attackers to embed executable code within DICOM files to create a hybrid file that is both a fully functioning Windows executable as well as a specification-compliant DICOM image that can be opened and viewed with any DICOM viewer, the report says.
“Such files can function as a typical Windows PE file while maintaining adherence to the DICOM standard and preserving the integrity of the patient information contained within,” according to the report. “We’ve dubbed such files, which intertwine executable malware with patient information, PE/DICOM files.”
By exploiting this design flaw, the report says, attackers could “take advantage of the abundance and centralization of DICOM imagery within healthcare organizations to increase stealth and more easily distribute their malware, setting the stage for potential evasion techniques and multistage attacks.”
The fusion of fully functioning executable malware with HIPAA protected patient information adds regulatory complexities and clinical implications to automated malware protection and typical incident response processes, the researchers say.
Huge Potential Challenges
The vulnerability presents huge potential challenges, says former healthcare CIO David Finn, executive vice president of the security consultancy CynergisTek, and a member of the Department of Health and Human Services’ cybersecurity task force advisory panel.
Providers may find themselves in the unique position of having to retain malware-infected files.
—David Finn, CynergisTek
“You cannot just delete an infected file because you may be destroying patient data,” he says. “This is a scary blend of security issues with regulatory consequences and potentially huge patient care issues. It goes beyond HIPAA because each state has rules about retaining/destroying/modifying medical records.”
Providers may find themselves in the unique position of having to retain malware-infected files, Finn says. “So many of the technologies and standards developed for healthcare did not put a premium on security or privacy of data,” he adds. “It is time to change that. The security impacts are significant.”
Former healthcare CISO Mark Johnson of the consultancy LBMC Information Security offers a similar assessment.
“This means that healthcare entities are at more cyber risk than they even know,” he says.
“This is another example of how medical device security is the number one patient safety risk healthcare faces. The complexity of the healthcare environments means we must look everywhere for vulnerabilities, and this underscores the fact that some key standards might also have vulnerabilities that we wouldn’t have imagined even as little as a year ago. Therefore, we must look at new ways to understand the risks and how to react to them.”
‘Evasion, Spread and Persistence’ Finn notes that the Cylera Labs study groups the potential impact of the DICOM flaw, if exploited, into three key areas – evasion, spread and persistence.
“By embedding malware into what appears to be a normal DICOM image, there are no artifacts created, so opening the DICOM file will be ‘normal.’ It also allows for evasion by anti-virus software, so analysts/users won’t see anything, and neither will standard detection tools,” he says.
Because the malware resides within the DICOM images, it can spread wherever workflows support DICOM image transfer, he adds. “That could mean that systems such as PACS [picture archiving and communication systems] would provide a single infection point that could spread to a large number of clinical devices used for diagnostic and therapeutic treatments. Images are not only shared within an organization but between organizations, including referring doctors, consultants, imaging centers, outpatient clinics and payers. … The files will not only follow the patient, but could likely go to places the patient doesn’t physically go to.”
Because this PE/DICOM flaw fuses real patient data with malware, organizations that delete the malware risk losing patient data, he says. “This blend of a cybersecurity issue with regulatory consequences, clinical operations and patient care will make this a persistent issue until we work through these complicated impacts.”
Ben Ransford, president of healthcare cybersecurity firm Virta Labs, says the findings suggest a need for new tools to help healthcare entities mitigate the risks.
“The anti-malware industry should figure out how to scan DICOM files, if they haven’t already. It looks like this kind of trickery should be easy to detect,” he says. “It’s not clear how many vendors support this kind of trickery or depend on it in order to work, so I’d recommend healthcare entities have a talk with their DICOM vendors.”
Finn contends there is no easy fix for providers, device makers, the DICOM standards group or anti-virus makers to address the flaw’s risks.
“This will take everyone working together. It won’t be resolved tomorrow with a new patch from or a revision to the DICOM standard – although I would hope to see both,” Finn says. “The message here is for healthcare organizations to implement continuous monitoring for medical devices at the network and host levels for these PE/DICOM files and develop processes for quarantining of those files and inoculation of detected files without adverse impacts.”
In the meantime, the DICOM flaw needs to be put into perspective of other cyber concerns involving medical devices, Ransford contends.
“I worry that healthcare entities will spend scarce resources chasing potentially … malicious PE/DICOM files while Rome burns,” he says. “I worry that cybersecurity vendors will use this opportunity to scare healthcare providers into spending scarce resources on whiz-bang tools that address symptoms without considering the underlying disease.”
The discovery of cybersecurity vulnerabilities that present new cyber challenges for healthcare entities and device makers will escalate, says Kevin Fu, co-founder of Virta Labs and director of the Archimedes Center for Medical Device Security at the University of Michigan.
“We will likely see many security vulnerability reports for medical devices because of legacy products,” he says. “Hacking a medical device is easier than breaking down an open door. The harder engineering problem is how to effectively integrate security into medical devices by specification and design.”
In a statement provided to ISMG, Robert Horn of Fairhaven Technologies and Dr. Lawrence Tarbox, the co-chairs of the DICOM Working Group 14, Security Committee – say Cylera is mistakenly labeling a DICOM file format as a flaw.
The dual personality feature in the DICOM file format has legitimate uses and has contributed to DICOM’s growth as the primary standard for interchanging medical images.
—DICOM Security Committee
The 128 byte preamble in the DICOM file format “is a useful feature incorporated into the DICOM file format standard to allow for dual personality files,” the statement says. “A dual personality file is a file that looks like a DICOM file to DICOM-aware software, but can look like a TIFF file, for example, for consumption by software that is not DICOM-aware. Hence, a file holding a DICOM image can look like both a DICOM file as well as a TIFF file. This dual personality feature was created two decades ago by the medical ultrasound imaging industry to bridge the gap between their legacy scanners that worked in other file formats and the new generation scanners that could speak DICOM.”
The dual personality feature in the DICOM file format has legitimate uses and has contributed to DICOM’s growth as the primary standard for interchanging medical images, the co-chairs contend.
But to address the risks posed by the DICOM file format dual personality, “the mitigation that is already in place is the practice of decoding and saving only the DICOM content when images are exchanged between medical image archives. “
The DICOM file format is used when creating DVDs for patients and for inter-hospital exchanges, the statement notes. “All of the data import systems strip the header and non-DICOM content before storing the DICOM content into the hospital archive. The data import systems read the DVD with file execution disabled. The medical archives create a new safe header when they export to physical media or for web browsers. So malicious media will not transfer to hospital radiology environments.”
The statement also notes: “It is patients, doctors, and researchers that use these files directly and not through a DICOM archive, that are exposed. They need to take similar steps. If the added interoperability is not needed, the header can always be cleared without interfering with DICOM operation.”
The co-chairs also add that the DICOM-defined network transport mechanisms used to move DICOM data between systems within a hospital or clinical environment do not transport that 128 byte preamble.
“In general, we applaud industry efforts to strengthen systems against cybersecurity attacks. We do advocate for better education of users and developers about potential attack vectors and how to guard against them, as well as improving scanning software to guard against such threats.”
In a statement provided ISMG, Cylera Labs CTO Paul Bakoyiannis contends the “flaw” identified in DICOM “allows malware to become ePHI without affecting its ability to function. If you try to harm the malware you will now harm the ePHI.”
Deleting the malware will delete the ePHI, quarantining the malware will deny access to the ePHI, and sending the malware to a third party for analysis may leak the ePHI, he says. “Standard malware remediation processes would violate the data’s confidentiality and availability required by HIPAA.”
Anti-virus vendors and security teams must ensure that their processes for analyzing and containing malware recognize PE/DICOM files and handle them in ways that do not harm or expose the ePHI they contain, he says.